
Linux exploit evades security barrier

Tom Espiner ZDNet UK | July 20, 2009 8:18 AM PDT

Summary

A security hole in the Linux kernel, which allows security features in the operating system to be bypassed, affects Red Hat Enterprise Linux 5, according to a security researcher.

A security researcher has released zero-day code for a flaw in the Linux kernel, saying that it bypasses security protections in the operating system.

The source code for the exploit was made available last week by researcher Brad Spengler on the Dailydave mailing list. According to the researcher, the code exploits a vulnerability present in Linux kernel versions 2.6.30 and 2.6.18, on both 32-bit and 64-bit builds. The 2.6.18 kernel is used in Red Hat Enterprise Linux 5.

The exploit bypasses the mainline kernel's null-pointer-dereference protection, which could allow an attacker to gain root control of a system, Spengler wrote.

It also uses arbitrary code execution to disable security features such as auditing, Security-Enhanced Linux (SELinux), AppArmor and the Linux Security Module framework, while making applications running outside the kernel believe that SELinux is still operating.

In the notes for his source code, Spengler said the exploit is strengthened if SELinux is enabled on the operating system. SELinux is a set of kernel modifications that hardens the system by enforcing a set of security policies.

"Having SELinux enabled actually weakens system security for these kinds of exploits," he wrote.

The SANS Institute, a security training organization, called the exploit "fascinating". In a blog post on Friday, SANS Institute incident handler Bojan Zdrnja said that the exploit relies on the Linux compiler to overcome the security features.

"The compiler will introduce the vulnerability to the binary code, which didn't exist in the source code," wrote Zdrnja. "This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland — and this finally pwns the box."

In his notes on the source code, Spengler said that a workaround would be for administrators to compile the kernel with -fno-delete-null-pointer-checks.
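The pattern Zdrnja describes, as an added example that is not from the article and not from Spengler's exploit code: a field is read through a pointer before the pointer is tested for NULL. Because dereferencing a null pointer is undefined behaviour in C, GCC's default -fdelete-null-pointer-checks optimisation may treat the later test as provably dead and drop it from the binary, which is exactly what the -fno-delete-null-pointer-checks workaround switches off. The `struct ctx` and the two handler names are hypothetical, and the sample value is constructed.

```c
/*
 * Added example, not from the article or from the exploit it describes.
 * struct ctx and the handler names are hypothetical.
 */
#include <stddef.h>
#include <stdio.h>

struct ctx {
    int priv;    /* hypothetical fields read by the handlers */
    int flags;
};

/* Vulnerable ordering: the field is loaded BEFORE the pointer is tested.
 * Dereferencing NULL is undefined behaviour, so an optimising compiler
 * (GCC at -O2 with the default -fdelete-null-pointer-checks) may assume
 * p is non-null and delete the `if (!p)` test as dead code.  The source
 * still contains the check; the compiled function does not.  Never call
 * this with NULL: at every optimisation level it reads from address 0. */
int handler_checks_too_late(struct ctx *p)
{
    int priv = p->priv;         /* dereference first ... */
    if (!p)                     /* ... check second: dead to the optimiser */
        return -1;
    return priv + p->flags;
}

/* Fixed ordering: test the pointer before any use.  Nothing about p has
 * been assumed before the test, so the check survives optimisation. */
int handler_checks_first(struct ctx *p)
{
    if (!p)
        return -1;
    return p->priv + p->flags;
}

int main(void)
{
    struct ctx c = { .priv = 40, .flags = 2 };   /* constructed sample input */

    printf("valid pointer, late check : %d\n", handler_checks_too_late(&c));
    printf("valid pointer, early check: %d\n", handler_checks_first(&c));
    printf("NULL pointer,  early check: %d\n", handler_checks_first(NULL));
    return 0;
}
```

To see the effect Zdrnja describes, compile with `gcc -O2 -S` and read the assembly for handler_checks_too_late: the comparison against zero is gone. Add `-fno-delete-null-pointer-checks` and the test is emitted again. The real fix is the ordering in handler_checks_first; the compiler flag only stops the optimiser from exploiting the mistake.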

This article was originally posted on ZDNet UK.

Talkback (most recent of 69)

  • Actually ....
    The C programming code had a check for this already in it. The COMPILER, in optimizing the code, removed the check.

    I wonder how many times this happens in all of the various compilers in the world ?
    linux4u
    20th Jul 2009
  • markbn
    20th Jul 2009
  • No, it appears to be a compiler bug ...
    The optimization process is intended to remove unnecessary code from the binary product. In this case, it inadvertently removes critical code. It is not something that anyone has done deliberately. It's a rather typical bug, which in this case has spectacular effects. It has now been identified, fortunately by a "good guy", and will likely be patched rather quickly.
    George Mitchell
    20th Jul 2009
  • Compilers don't do that
    ... b/c the principle of a compiler is not to change the semantics of a program, unless it's some open source pretender compiler that, like a lot of other OSS, doesn't know what it is doing.
    LBiege
    20th Jul 2009
  • You misunderstand OSS.
    Computer code is written by people, whether OSS or in software companies. There are experts and non-experts in both. What is needed is peer review, which works much better in OSS. Don't be so silly as to think that everybody else is a dunce.
    peter_erskine@...
    20th Jul 2009
  • RE: Linux exploit evades security barrier
    Ok, now that I picked myself up off the floor from laughing so hard at just how insecure linux is (which I knew already) and how the linux fanboys tried to convince me that it was "the safest OS on the planet", I couldn't help but laugh at them. In your face! HAH!

    This is yet another security hole in linux and you guys wonder why I would never ever run it. It's always one security issue after the other with linux. Then it's compile compile compile every day just to keep it secured. I wonder if they will ever fix that pesky telnet open port issue while they are talking about security.

    I am so glad I don't run it except to test it out, and that is all of a few minutes before I realize it's all the same crap underneath with no improvements. This article is further proof that linux is not ready for the mainstream or to be used by anyone. Not until Linus takes himself seriously and starts coding an OS that is worth a damn.
    Loverock Davidson
    20th Jul 2009
  • I don't wonder why you would never run it...
    since you are unlikely to try something you fear.

    Yes, I can see why you laugh as no other OS's that you may use would ever have security issues... Ever...

    I am confused though that you would go through the days of installing and compiling every package only to test for a couple minutes. You must have a lot of spare time. How in demand are your skills?
    Viva la crank dodo
    20th Jul 2009
  • Re:RE: Linux exploit evades security barrier
    For your information, it's already patched: 2.6.31-rc1.
    llemm
    20th Jul 2009
  • WOW! Fixed Already
    Read this story, opened Synaptic, yup... there is a patched 2.6.30 kernel waiting in the repos. Installing now.

    That wasn't a problem at all...
    Tim Patterson
    20th Jul 2009
  • Re: WOW! Fixed Already
    The distros are well aware of this. If you are using 2.6.29 or lower, you do not need any patch or anything, because this exploit is only on 2.6.30; any other versions are safe.
    llemm
    20th Jul 2009
  • Thanks
    I know.

    I'm running a lenny/squeeze/sid mix with 2.6.30-1.

    Just installed the patched kernel.
    Tim Patterson
    20th Jul 2009
  • Hmm where have I heard this...
    Oh yea! Now I remember. I think it was called Conficker or something, wasn't it?

    "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
    gnesterenko
    21st Jul 2009
  • OS's, bugs, patches...and all of that.
    Okay, so can we agree now that no OS is immune to security vulnerabilities?
    bmonsterman
    20th Jul 2009
  • If this is the first exploit you've heard about....
    ...for Linux, then I see why you'd make that statement. I don't think anyone in their right mind has said any OS is immune to vulnerabilities. What has been argued are the security measures in place across the different OS's. The fact that this vuln is "spectacular" somewhat speaks for the fact that there can be a lot of security measures to get around in Linux. In this case it looks like one had to be accidentally stripped away.
    storm14k
    20th Jul 2009
  • well now...
    "I don't think anyone in their right mind has said any OS is immune to vulnerabilities."

    You better check with your PR department, 'cause that's what we've been hearing about OS X and Linux for a LONG time.

    "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
    gnesterenko
    20th Jul 2009
